XML-RPC Brute Force Attack (WordPress Log Example + Fix)
See real system.multicall payloads targeting xmlrpc.php. Learn to detect WordPress brute force attacks instantly and secure your admin credentials.
Log Signature Detected: If you're seeing "POST /xmlrpc.php HTTP/1.1" 200 431 "-" "Mozilla/5.0" (Payloa..." in your logs, your server may be under a Brute Force attack.
Real Log Example
POST /xmlrpc.php HTTP/1.1" 200 431 "-" "Mozilla/5.0" (Payload: system.multicall)
POST /xmlrpc.php HTTP/1.1" 200 431 "-" "Mozilla/5.0" (Payload: wp.getUsersBlogs)
POST /xmlrpc.php HTTP/1.1" 200 431 "-" "Mozilla/5.0" (Payload: system.multicall)
What Is a Brute Force Attack?
Security analysts and DevOps teams monitoring infrastructure like Nginx, Apache HTTP Server, Node.js, AWS, and WordPress must be able to quickly identify and triage these malicious log patterns to prevent data breaches.
The xmlrpc.php file is a legacy WordPress feature that allows remote connections to a site. Because it allows multiple commands to be executed in a single HTTP request using the 'system.multicall' method, attackers heavily abuse it.
Instead of hitting the standard wp-login.php page and triggering traditional rate limiters, attackers send a single POST request to xmlrpc.php containing hundreds of username and password combinations. This is the WordPress equivalent of the "invalid user" brute force pattern seen in sshd logs.
If you see a high volume of POST traffic directed exclusively at /xmlrpc.php from a single IP address, you are actively experiencing a credential stuffing attack.
How to Detect an XML-RPC Brute Force Attack in Logs
The Payload: If you have deep packet inspection or WAF logging enabled, look for the string `
Volume: The logs will show a continuous, robotic cadence of POST requests (e.g., exactly one request every 3 seconds) as the script churns through a password dictionary.
Bypassing standard locks: Attackers use XML-RPC specifically because it often bypasses standard 'Limit Login Attempts' plugins that only monitor the wp-login.php page.
Brute Force Attack Detection Checklist
| Pattern | Indicator | Severity |
|---|---|---|
| system.multicall in POST body | Bulk credential testing payload | Critical |
| POST every 3 seconds to xmlrpc.php | Dictionary attack cadence | High |
| xmlrpc.php hammered, wp-login.php idle | Rate-limiter bypass strategy | Critical |
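
One way to apply the volume, cadence and idle-wp-login indicators above to an access log, as an added example (not code from the original page). The log lines are constructed, the IPs are documentation addresses, and the function names and the `min_posts` / `max_jitter_s` thresholds are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Combined log format: client IP, timestamp, method and path.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def build_sample():
    """Constructed sample: one client POSTing to xmlrpc.php every 3 s, plus a normal user."""
    fmt = ('{ip} - - [10/Mar/2024:04:00:{s:02d} +0000] '
           '"POST {path} HTTP/1.1" 200 431 "-" "Mozilla/5.0"')
    lines = [fmt.format(ip="203.0.113.7", s=s, path="/xmlrpc.php") for s in range(0, 30, 3)]
    lines.append(fmt.format(ip="198.51.100.20", s=5, path="/wp-login.php"))
    lines.append(fmt.format(ip="198.51.100.20", s=41, path="/xmlrpc.php"))
    return lines

def detect(lines, min_posts=5, max_jitter_s=1.0):
    """Return per-IP findings for clients that repeatedly POST to xmlrpc.php."""
    xmlrpc, login = defaultdict(list), defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "POST":
            continue  # unparseable line or not a POST
        ip, ts, _, path = m.groups()
        path = path.split("?", 1)[0]
        if path.endswith("/xmlrpc.php"):
            xmlrpc[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
        elif path.endswith("/wp-login.php"):
            login[ip] += 1
    findings = {}
    for ip, times in xmlrpc.items():
        if len(times) < min_posts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        findings[ip] = {
            "posts": len(times),  # requests, not guesses: one multicall can carry many
            "mean_gap_s": mean(gaps),
            "robotic_cadence": pstdev(gaps) <= max_jitter_s,  # near-constant spacing
            "wp_login_idle": login[ip] == 0,  # xmlrpc.php hit, wp-login.php untouched
        }
    return findings

if __name__ == "__main__":
    for ip, finding in detect(build_sample()).items():
        print(ip, finding)
```

Access logs do not record the POST body, so the request count understates the number of passwords tried when system.multicall is in use; confirming the payload needs WAF or body logging.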
How to Defend Against This Threat
Disable XML-RPC completely if you do not use legacy mobile apps or Jetpack plugins.
Implement a Web Application Firewall (WAF) rule to block all requests containing 'system.multicall' in the payload.
Use fail2ban to monitor your access.log for high-frequency POST requests to xmlrpc.php.